The GHOST vulnerability

A serious problem in the Linux glibc library went unnoticed for almost 15 years. A simple coding mistake introduced into the code in November 2000 leaves servers including e-mail servers vulnerable to remote code execution. A buffer overflow in the GNU C Library function __nss_hostname_digits_dots(), which is called by the well used gethostbyname*() functions makes it possible to take over any type of server. In the case of e-mail servers — to take only one example — it is possible to take over a server remotely by sending a well-crafted e-mail exploiting the vulnerability.

Yesterday, Qualysannounced that a serious problem in the Linux glibc library exposes servers to remote code execution. While the problem was already found in May 2013, the security implications of the bug only came to light when Qualys security researchers dived deeper into the issue. The issue was handled as a regular bug and updates were made available in 2013. As this bug was not qualified as a security issue, most systems were not updated.

However, there are clearly security implications to the bug that was found. As illustrated in the picture, taking over an unpatched e-mail server is rather simple as it does not require special credentials whatsoever. It requires detailed knowledge of the bug itself (and as Glibc is open source, the code can be inspected)and a malicious person with exploit writing capabilities to craft an attack vector in order to exploit this vulnerability. It requires the malicious person to send the e-mail to the mail server, which then calls one of the gethostbyname*() functions which will in turn call the problematic __nss_hostname_digits_dots(). If the attack is correctly designed, the attacker will get a shell on (and control over) the machine.

If you want to know if your systems are affected by this problem, you can use the code made availablehereto find out if your system is vulnerable. In any case, we would like to encourage administrators to update affected systems as soon as possible. NVISO customers have been sent an advisory note with detailed information regarding this vulnerability and what they can do right now to protect themselves.

What we’ve learned from this vulnerability is that once again security issues can go unnoticed for a very long time. We often come across web-facing applications that feature code written years ago, sometimes over a decade old. A clear lesson is that these may no longer be considered safe, for the simple reason that new security issues have since emerged. Many organizations are addressing this issue by reviewing older code on critical and web-facing applications. We can only encourage everyone to do the same.